Test TLS Functionality Using the Unified Messaging Test Phone

[This is pre-release documentation and subject to change in future releases. This topic's current status is: Milestone-Ready.]

Applies to: Exchange Server 2010 Beta
Topic Last Modified: 2008-10-26

One of the most important ways to help protect your Microsoft Exchange Server 2010 Unified Messaging (UM) infrastructure and the network traffic that Unified Messaging generates is mutual Transport Layer Security (TLS). Mutual TLS encrypts the Session Initiation Protocol (SIP) signaling exchanged among IP gateways, IP Private Branch eXchanges (PBXs), other servers running Exchange 2010, and the Unified Messaging servers on your network. Because each endpoint presents a certificate during the handshake, mutual TLS also authenticates both sides of the connection, so a device that does not hold a trusted certificate cannot establish a SIP session with a Unified Messaging server in secured mode.

After you have used the VoIPSecurity parameter on the Set-UMDialPlan cmdlet to enable Voice over IP (VoIP) security on the UM dial plan, all Unified Messaging servers associated with the UM dial plan are configured to use the selected secured mode: SIP secured protects the SIP signaling with mutual TLS, and Secured additionally protects the media stream with Secure Realtime Transport Protocol (SRTP). However, mutual TLS only succeeds when each side trusts the certificate the other side presents. Depending on the type of certificate that you use, you must therefore first export and import the required certificates on the Unified Messaging servers and on the IP gateways and IP PBXs.

This topic explains how to use the UM Test Phone to test your mutual TLS configuration to make sure that it's functioning correctly.

Before You Begin

Before you can run the Exchange UM Test Phone application, you must set up and configure the client computer by installing the appropriate audio devices, audio drivers, speakers, and a microphone. The Exchange UM Test Phone application streams audio from the Unified Messaging server to the audio devices configured on the client computer. Verify that these devices are connected and working correctly before you run the Exchange UM Test Phone application on a client computer. For more information about how to set up the UM Test Phone, see Set Up the Unified Messaging Test Phone.

To perform the following procedures, the account you use must be delegated the following:

  • Exchange Organization Administrator role.
  • Membership in the local Administrators group on the computer running the UM Test Phone.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2010, see Important: Update for Permissions in Exchange 2010.

Also, before you perform these procedures, confirm the following:

  • The Microsoft Exchange Unified Messaging service is running in SIP secured mode.
  • If the Microsoft Exchange Unified Messaging service is using a self-signed certificate, export that certificate (without its private key) from the Personal certificate store on the Unified Messaging server to a file, and store the file in a location that can be accessed from the host computer running the Exchange UM Test Phone application. The Test Phone host must import it into its Trusted Root Certification Authorities store, because a self-signed certificate chains to no CA that the host already trusts.
  • A UM dial plan has been created.
  • A UM auto attendant has been created.
  • The Unified Messaging server has been added to a UM dial plan.
  • The UM dial plan security mode is set to SIP secured.
  • The Exchange UM Test Phone application has been installed and configured correctly.

For more information about the different types of certificates that can be used with Unified Messaging, see Understanding Unified Messaging VoIP Security.
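The dial plan change described earlier in this topic and the checklist above can be applied and verified from the Exchange Management Shell instead of the console. The following script is an added example; it is not part of the original topic or of the product. The dial plan name MyDialPlan, the server name UM01, and the export path are assumptions, and the script must run in the Exchange Management Shell so that the UM cmdlets are available.

```powershell
# Added example, not from the original topic. Assumed names: dial plan "MyDialPlan",
# Unified Messaging server "UM01". Run in the Exchange Management Shell.
$dialPlanName = "MyDialPlan"
$umServer     = "UM01"

# Put the dial plan into SIP secured mode. Valid VoIPSecurity values are Unsecured,
# SIPSecured (SIP signaling over mutual TLS) and Secured (SIP over mutual TLS plus SRTP media).
Set-UMDialPlan -Identity $dialPlanName -VoIPSecurity SIPSecured

# Check 1: the dial plan exists and its security mode is SIP secured.
$plan = Get-UMDialPlan -Identity $dialPlanName
if ($plan.VoIPSecurity -ne "SIPSecured") {
    throw "Dial plan '$dialPlanName' is in $($plan.VoIPSecurity) mode, expected SIPSecured."
}

# Check 2: the Unified Messaging server has been added to the dial plan.
$server = Get-UMServer -Identity $umServer
if (-not ($server.DialPlans | Where-Object { $_.Name -eq $plan.Name })) {
    throw "UM server '$umServer' is not associated with dial plan '$dialPlanName'."
}

# Check 3: a UM auto attendant is linked to the dial plan (the test call is placed to it).
$aa = Get-UMAutoAttendant | Where-Object { $_.UMDialPlan.Name -eq $plan.Name }
if (-not $aa) {
    throw "No UM auto attendant is linked to dial plan '$dialPlanName'."
}

# Check 4: the Microsoft Exchange Unified Messaging service is running on the server.
$svc = Get-Service -ComputerName $umServer -Name MSExchangeUM
if ($svc.Status -ne "Running") {
    throw "MSExchangeUM on $umServer is $($svc.Status), expected Running."
}

# Check 5: identify the certificate enabled for the UM service. If it is self-signed,
# the Test Phone host cannot chain it to a trusted CA, so export the public part
# (DER, no private key) for import on that host.
$umCert = Get-ExchangeCertificate -Server $umServer | Where-Object { $_.Services -match "UM" }
if (-not $umCert) {
    throw "No certificate is enabled for the UM service on $umServer."
}
"UM certificate: subject=$($umCert.Subject) thumbprint=$($umCert.Thumbprint) selfSigned=$($umCert.IsSelfSigned)"
if ($umCert.IsSelfSigned) {
    $exported = Export-ExchangeCertificate -Server $umServer -Thumbprint $umCert.Thumbprint -BinaryEncoded
    # Assumed export location; choose a share the Test Phone host can read.
    Set-Content -Path "\\$umServer\C$\Temp\$umServer-um-self-signed.cer" -Value $exported.FileData -Encoding Byte
}
```

Each check throws on the first failure rather than printing a summary, so the script can be run repeatedly until it completes silently. The export uses -BinaryEncoded deliberately: without it, Export-ExchangeCertificate produces a PKCS#12 bundle that contains the private key, which has no business leaving the Unified Messaging server for a trust-store import.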

Procedure

To generate a self-signed certificate for mutual TLS

  1. Open the Exchange UM Test Phone application by double-clicking ExchangeUMTestPhone.exe.

  2. In the Exchange UM Test Phone window, click Tools, and then click Setup.

  3. On the Setup page, under Call Security Settings, click SIP secured (TLS) to generate a self-signed certificate.

  4. Verify that the Personal certificate store on the host computer running the Exchange UM Test Phone application contains a self-signed certificate whose subject name is the fully qualified domain name (FQDN) of the host and whose intended purpose is Server Authentication. A certificate with a different subject name or without the Server Authentication purpose will be rejected by the Unified Messaging server during the TLS handshake.

    Note

    If the self-signed certificate isn't generated, verify that you're a member of the local Administrators group.

  5. In the Certificates snap-in, select the self-signed certificate in the Personal certificate store, and then start the Certificate Export Wizard.

  6. Follow the steps in the Certificate Export Wizard to export the certificate, without the private key, in the Base-64 encoded X.509 (.CER) format to a file, and then store the file in a location that can be accessed by the Unified Messaging server. The .CER format carries only the public certificate; the private key remains on the host computer.

  7. Use the Certificate Import Wizard to import the self-signed certificate into the Trusted Root Certification Authorities store on the Unified Messaging server.

    Important

    A self-signed certificate won't be generated if the UM Test Phone finds another certificate in the Personal certificate store that lists the FQDN of the host computer as the subject name and for which the intended purpose is Server Authentication.

For more information about how to import and export certificates, see Import and Export Certificates.
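Steps 4 through 7 of the procedure above can also be carried out from PowerShell, which is useful when the Test Phone host is administered remotely or when the verification must be repeated. The script below is an added example and is not part of the original topic or of the product. It assumes that the Test Phone places its certificate in the local computer's Personal store (Cert:\LocalMachine\My) and that the Unified Messaging server is named UM01; adjust both if your environment differs.

```powershell
# Added example, not from the original topic. Assumptions: the self-signed certificate
# is in LocalMachine\My on the Test Phone host, and the UM server is "UM01".
$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # Enhanced Key Usage: Server Authentication
$fqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName

function Test-ServerAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $cert)
    # Walk the extensions, find the Enhanced Key Usage extension (OID 2.5.29.37) and
    # report whether it lists Server Authentication.
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $serverAuthOid) { return $true }
            }
        }
    }
    return $false
}

# Step 4: locate the self-signed certificate for this host. Self-signed means the
# issuer equals the subject; the subject must be exactly CN=<FQDN>.
$my = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$my.Open("ReadOnly")
$cert = @($my.Certificates | Where-Object {
    $_.Subject -eq "CN=$fqdn" -and $_.Issuer -eq $_.Subject -and (Test-ServerAuthEku $_)
})
$my.Close()
if ($cert.Count -ne 1) {
    throw "Expected exactly one self-signed Server Authentication certificate for $fqdn, found $($cert.Count)."
}
$cert = $cert[0]
"Found certificate: subject=$($cert.Subject) thumbprint=$($cert.Thumbprint) notAfter=$($cert.NotAfter)"

# Steps 5 and 6: export as Base-64 encoded X.509. Export("Cert") writes only the public
# certificate, so the private key cannot leak through this file.
$cerPath = Join-Path $env:TEMP "$fqdn-testphone.cer"
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $cerPath -Value $pem -Encoding Ascii
"Exported to $cerPath; copy this file to the UM server."

# Step 7: run on the UM server after copying the .cer there (assumed path below).
# Adding a self-signed certificate to Root makes this machine trust anything that key
# signs, so keep it to test hosts and remove it when the test is finished.
$copiedPath = "C:\Temp\$fqdn-testphone.cer"
if (Test-Path $copiedPath) {
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
    $root.Open("ReadWrite")
    $root.Add((New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($copiedPath)))
    $root.Close()
    "Imported $copiedPath into LocalMachine\Root. Remove it with `$root.Remove() after testing."
}
```

The script refuses to continue when it finds more than one matching certificate, because the Test Phone's own rule (see the Important note above) is keyed on the same subject name and purpose; two candidates means the Test Phone and the server may not agree on which certificate is in use.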

To generate a request and import a PKI certificate

  1. Use the Request New Certificate wizard to generate a certificate request using the FQDN of the host computer as the subject name and identify the intended purpose as Server Authentication. Use a certification authority (CA) configured on your network to issue a certificate for the request.

  2. Import the certificate into the Personal certificate store on the host computer running the Exchange UM Test Phone application.

  3. Import the trusted root certificate from the public key infrastructure (PKI) CA into the Trusted Root Certification Authorities store on the host computer running the Exchange UM Test Phone application.

    Important

    You can also use this procedure to generate a certificate request for a third-party or commercial certificate, and then import the certificate into the Personal certificate store on the host computer. However, Server Authentication must be identified as its intended purpose.
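The request, issuance, and root import described in this procedure can be scripted with certreq and certutil, the tools the Request New Certificate wizard drives. The following script is an added example, not part of the original topic or of the product. The CA configuration string CA01.contoso.com\Contoso Issuing CA and the working directory are assumptions; replace them with your own CA.

```powershell
# Added example, not from the original topic. Assumption: an enterprise CA reachable
# as "CA01.contoso.com\Contoso Issuing CA"; set $caConfig to your CA's host\name.
$fqdn     = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
$caConfig = "CA01.contoso.com\Contoso Issuing CA"
$work     = Join-Path $env:TEMP "umtestphone-pki"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Request template: subject is the host FQDN, the key is generated non-exportable in the
# machine store, and the Enhanced Key Usage extension carries Server Authentication
# (1.3.6.1.5.5.7.3.1), which is the intended purpose this procedure requires.
$template = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=__FQDN__"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
'@
$inf = $template -replace "__FQDN__", $fqdn
Set-Content -Path "$work\request.inf" -Value $inf -Encoding Ascii

# Step 1: build the PKCS#10 request and submit it to the CA. If the CA requires
# manager approval, certreq reports a pending request ID; retrieve it later with
# "certreq -retrieve <id> issued.cer" instead of re-submitting.
certreq -new "$work\request.inf" "$work\request.req"
certreq -submit -config $caConfig "$work\request.req" "$work\issued.cer"

# Step 2: install the issued certificate into LocalMachine\My, where certreq binds it to
# the private key generated in step 1.
certreq -accept "$work\issued.cer"

# Step 3: fetch the CA's certificate and place it in Trusted Root Certification Authorities.
# If the issuing CA is subordinate, install the root of its chain here instead and the
# issuing CA's certificate in the Intermediate Certification Authorities (CA) store.
certutil -config $caConfig -ca.cert "$work\ca-cert.cer"
certutil -addstore -f Root "$work\ca-cert.cer"

# Confirm the issued certificate now chains to a trusted root from this host's point of view.
certutil -verify -urlfetch "$work\issued.cer"
```

The final certutil -verify call is the check worth keeping: it exercises the same chain building the TLS stack performs, so a revocation-endpoint or missing-intermediate problem shows up here rather than as an opaque handshake failure in the Test Phone.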

To test a Unified Messaging server in secured mode

  1. Open the Exchange UM Test Phone application by double-clicking ExchangeUMTestPhone.exe.

  2. In the Exchange UM Test Phone window, click Tools, and then click Setup.

  3. Under Call Security Settings, confirm that SIP secured (TLS) is selected. Then, in Server Settings, type the fully qualified domain name (FQDN) of the Unified Messaging server in the Server Address field. Use the name that appears as the subject name on the certificate the Unified Messaging server uses for secured mode, because the TLS handshake validates the server name against that certificate and fails if they differ.

  4. Click the Make Call button to place the call to a UM auto attendant. The Make Call button is a green telephone icon in the Exchange UM Test Phone window.

  5. Follow the voice prompts for the UM auto attendant.

  6. In the Exchange UM Test Phone application, click Hang Up to disconnect the call after you complete the test.

For More Information